CVE-2021-24551: 
WordPress vulnerability analysis and mitigation

The Edit Comments WordPress plugin through version 0.3 contains an unauthenticated SQL injection vulnerability (CVE-2021-24551). The vulnerability was discovered by Shreya Pohekar of Codevigilant and publicly disclosed on July 24, 2021. The plugin fails to properly sanitize, validate, or escape the 'jal_edit_comments' GET parameter before using it in SQL statements (CodeVigilant Disclosure, WPScan).

The vulnerability exists in the edit comment functionality, specifically in the jal-edit-comments.php file at line 52, where the 'jal_edit_comments' GET parameter is directly inserted into an SQL query without proper sanitization. The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-89 (SQL Injection) (NVD, WPScan).

This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands on the affected WordPress installation's database. Due to its unauthenticated nature and the critical CVSS score, the potential impact includes unauthorized access to sensitive data, modification of database contents, and possible complete system compromise (NVD).

There is no known fix available for this vulnerability as the plugin has been closed. The recommended mitigation is to remove the Edit Comments plugin from WordPress installations (WPScan).